The Jenkins project has issued a critical security advisory detailing vulnerabilities in five widely used plugins: Cadence vManager, DingTalk, Health Advisor by CloudBees, OpenID Connect Provider, and WSO2 Oauth.
These flaws, ranging from medium to critical severity, could let attackers bypass authentication entirely, forge the identity tokens that builds present to external services, inject script into the Jenkins UI, or intercept webhook traffic. Jenkins administrators should act promptly to protect their CI/CD pipelines.
Critical Vulnerabilities Uncovered
The advisory highlights two critical vulnerabilities with CVSS scores of 9.1 and 9.8, posing severe risks to Jenkins environments:
OpenID Connect Provider Plugin (CVE-2025-47884, CVSS: 9.1): In versions 96.vee8ed882ec4d and earlier, the claims placed in build ID tokens are derived from the build's environment variables. Anyone who can alter that environment, for example through the Environment Injector plugin, can therefore override the values that identify the job and build.
This lets an attacker who controls a low-value job mint tokens that impersonate a trusted job, and so reach external services that grant access based on those tokens. Version 111.v29fd614b_3617 fixes the issue by ignoring overridden environment variables.
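The flaw class is easiest to see side by side. The Python mock below is an added illustration, not the OpenID Connect Provider plugin's code: one function derives the token subject from the mutable runtime environment (the vulnerable pattern), the other pins the identity-bearing names to what the controller itself records about the build (the pattern the fix uses). The build-record shape, function names, and the `scratch-job`/`deploy-prod` scenario are assumptions made up for the example.

```python
# Added illustration of the CVE-2025-47884 flaw class; this is a Python mock,
# not the OpenID Connect Provider plugin's code. Build-record fields, function
# names and job names are assumptions for the example.

# Identity-bearing variable names that a token issuer must never let a job override.
RESERVED = ("JOB_NAME", "BUILD_NUMBER")


def controller_env(build):
    """Values the controller itself knows for this build (the variables Jenkins
    sets for every run). A job configurer cannot alter these."""
    return {"JOB_NAME": build["job_name"], "BUILD_NUMBER": str(build["build_number"])}


def runtime_env(build, injected):
    """Environment as a build step sees it: controller values with anything an
    Environment Injector style step (or a same-named build parameter) layered on top."""
    env = controller_env(build)
    env.update(injected)
    return env


def claims_vulnerable(env):
    """Vulnerable pattern: the token subject is read from the runtime environment,
    so an override of JOB_NAME rewrites who the token claims to be."""
    return {"sub": f"{env['JOB_NAME']}/{env['BUILD_NUMBER']}", "job": env["JOB_NAME"]}


def claims_fixed(build, env):
    """Fixed pattern: reserved names are re-read from the controller's record,
    discarding any override; other variables may still feed non-identity claims."""
    safe = dict(env)
    safe.update(controller_env(build))
    return {"sub": f"{safe['JOB_NAME']}/{safe['BUILD_NUMBER']}", "job": safe["JOB_NAME"]}


def overridden_reserved(build, env):
    """Audit helper: which reserved variables does the runtime environment disagree on?"""
    trusted = controller_env(build)
    return sorted(name for name in RESERVED if env.get(name) != trusted[name])


# Constructed scenario: an attacker who can configure a low-value job injects the
# identity of a job that downstream services trust for production deployments.
ATTACKER_BUILD = {"job_name": "scratch-job", "build_number": 7}
INJECTED = {"JOB_NAME": "deploy-prod", "BUILD_NUMBER": "42"}

if __name__ == "__main__":
    env = runtime_env(ATTACKER_BUILD, INJECTED)
    print("overridden:", overridden_reserved(ATTACKER_BUILD, env))
    print("vulnerable sub:", claims_vulnerable(env)["sub"])            # deploy-prod/42
    print("fixed sub:     ", claims_fixed(ATTACKER_BUILD, env)["sub"])  # scratch-job/7
```

The point generalises beyond this plugin: any component that turns build metadata into a credential must source the identity fields from state the job cannot write, and treat the build environment as attacker-influenced input.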
WSO2 Oauth Plugin (CVE-2025-47889, CVSS: 9.8): Versions 1.0 and earlier do not validate authentication claims, so an unauthenticated attacker can log in with any username and any password.
The resulting sessions carry no group memberships, so the impact depends on the authorization strategy: under "Logged-in users can do anything", for example, the attacker gets full administrative access. No fix was available when the advisory was published.
Additional High and Medium Severity Flaws
Other vulnerabilities include:
Health Advisor by CloudBees Plugin (CVE-2025-47885, CVSS: High): Versions 374.v194b_d4f0c8c8 and earlier render responses from the Jenkins Health Advisor server without escaping them, a stored cross-site scripting (XSS) vulnerability. An attacker able to control those server responses could inject script that runs in the browser of whoever views the report. Version 374.376.v3a_41a_a_142efe escapes the responses.
Cadence vManager Plugin (CVE-2025-47886, CVE-2025-47887, CVSS: Medium): Versions 4.0.1-286.v9e25a_740b_a_48 and earlier expose an HTTP endpoint that performs no permission check and does not require POST requests, making it vulnerable to cross-site request forgery (CSRF). Attackers with Overall/Read permission could make the controller connect to an attacker-specified URL using attacker-specified credentials. Version 4.0.1-288.v8804b_ea_a_cb_7f requires POST requests and adds the missing permission check.
DingTalk Plugin (CVE-2025-47888, CVSS: Medium): Versions 2.7.3 and earlier disable SSL/TLS certificate and hostname validation for webhook connections, so an on-path attacker can impersonate the webhook endpoint or read the notifications sent to it. No fix was available when the advisory was published.
Affected Versions and Fixes
The vulnerabilities affect the following plugin versions:
Plugin Name | Affected Versions | Fixed Version |
---|---|---|
Cadence vManager Plugin | 4.0.1-286.v9e25a_740b_a_48 and earlier | 4.0.1-288.v8804b_ea_a_cb_7f |
DingTalk Plugin | 2.7.3 and earlier | No fix available |
Health Advisor by CloudBees Plugin | 374.v194b_d4f0c8c8 and earlier | 374.376.v3a_41a_a_142efe |
OpenID Connect Provider Plugin | 96.vee8ed882ec4d and earlier | 111.v29fd614b_3617 |
WSO2 Oauth Plugin | 1.0 and earlier | No fix available |
Administrators should update to the fixed versions without delay. For the DingTalk and WSO2 Oauth plugins the Jenkins project had no fix to offer at publication, so the safe course is to disable them: WSO2 Oauth is a security realm, so removing it means switching the instance to another realm, and DingTalk users who cannot drop the plugin should at least restrict which networks the controller's webhook traffic traverses, bearing in mind that network controls only partly compensate for a client that does not verify the server's certificate.
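Checking an instance against the table above by hand is error-prone because Jenkins incrementals versions such as `374.v194b_d4f0c8c8` do not sort as plain strings. The script below is an added example, not part of the advisory or of any Jenkins project tooling: it parses the JSON that `GET <jenkins>/pluginManager/api/json?depth=1` returns (which requires Overall/Administer) and compares each installed plugin against the advisory's last-affected version. The plugin IDs (`shortName` values) it keys on are my assumptions and should be confirmed on each plugin's page at plugins.jenkins.io; the sample inventory is constructed for the example.

```python
"""Check a Jenkins plugin inventory against the 2025-05-14 advisory.

Added example, not Jenkins project code. Feed it the JSON from
GET <jenkins>/pluginManager/api/json?depth=1 (needs Overall/Administer).
"""
import json
import re

# Last affected version and fixed version per plugin, from the advisory table.
# The shortName keys are assumed; confirm each against plugins.jenkins.io.
ADVISORY = {
    "vmanager-plugin": ("4.0.1-286.v9e25a_740b_a_48", "4.0.1-288.v8804b_ea_a_cb_7f"),
    "dingding-notifications": ("2.7.3", None),
    "cloudbees-jenkins-advisor": ("374.v194b_d4f0c8c8", "374.376.v3a_41a_a_142efe"),
    "oidc-provider": ("96.vee8ed882ec4d", "111.v29fd614b_3617"),
    "wso2id-oauth": ("1.0", None),
}


def version_key(version):
    """Numeric prefix of a Jenkins plugin version, as a tuple.

    Incrementals versions look like 374.376.v3a_41a_a_142efe or
    4.0.1-288.v8804b_ea_a_cb_7f: dot- or hyphen-separated integers followed by a
    'v<hash>' token. Ordering is by the integers, and a version with more
    components sorts after its prefix (374 < 374.376), which is exactly how
    Python compares tuples of unequal length.
    """
    parts = []
    for token in re.split(r"[.\-]", version):
        if not token.isdigit():
            break  # 'v<hash>' or a qualifier: nothing after it is ordered
        parts.append(int(token))
    return tuple(parts)


def is_affected(installed, last_affected):
    """True when the installed version is at or below the last affected version."""
    return version_key(installed) <= version_key(last_affected)


def check_plugins(plugin_manager_json):
    """Map shortName -> (installed version, fixed version or None) for every
    installed plugin that falls inside an affected range."""
    findings = {}
    for plugin in json.loads(plugin_manager_json)["plugins"]:
        entry = ADVISORY.get(plugin["shortName"])
        if entry and is_affected(plugin["version"], entry[0]):
            findings[plugin["shortName"]] = (plugin["version"], entry[1])
    return findings


# Constructed sample inventory: two vulnerable plugins, one already patched,
# and one plugin the advisory does not cover.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "oidc-provider", "version": "96.vee8ed882ec4d"},
    {"shortName": "cloudbees-jenkins-advisor", "version": "374.376.v3a_41a_a_142efe"},
    {"shortName": "wso2id-oauth", "version": "1.0"},
    {"shortName": "git", "version": "5.7.0"},
]})

if __name__ == "__main__":
    for name, (installed, fixed) in check_plugins(SAMPLE).items():
        action = f"upgrade to {fixed}" if fixed else "no fix available: disable or replace"
        print(f"{name} {installed}: AFFECTED, {action}")
```

Run it against a live controller by replacing `SAMPLE` with the body of the `pluginManager` API response; the same `version_key` comparison works for any future advisory once `ADVISORY` is updated.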
These vulnerabilities underscore the risks of unmaintained or poorly configured plugins in Jenkins, a cornerstone of DevOps pipelines.
The WSO2 Oauth flaw in particular shows what a security realm that accepts any credentials means in practice, while the OpenID Connect Provider issue shows why build-time credentials must not be derived from environment variables that jobs can overwrite.
The advisory also ties into broader concerns about software supply chain security, where tools like Jenkins are prime targets. Malicious actors could exploit these flaws to inject code, escalate privileges, or manipulate build processes, potentially compromising downstream software.
Jenkins administrators should:
- Update Affected Plugins: Apply the latest patches for Cadence vManager, Health Advisor by CloudBees, and OpenID Connect Provider plugins.
- Disable Unfixed Plugins: Remove the DingTalk and WSO2 Oauth plugins until fixes are available (switching to another security realm in the WSO2 Oauth case), or isolate their functionality.
- Enhance Security Controls: Enforce least-privilege access, enable signed commits, and monitor CI/CD logs for anomalies.
- Audit Commit History: Use external logging and immutable mirrors to detect timestamp manipulation, as outlined in Commit Stomping defenses.
- Stay Informed: Monitor Jenkins security advisories and plugin repositories for updates.